(aws-ecs): ECS Exec Support #13618
Comments
We may also want to consider modifying the task role since "the task role will need to have IAM permissions to log the output to S3 and/or CloudWatch if the cluster is configured for these options. If these options are not configured then these IAM permissions are not required."

Is there any way one could use this functionality before it has higher-level support within CDK?

@mbeacom Hi! Thanks so much for opening this issue -- was wondering if you were actively working on this? If so I can tag it as "in-progress"!

@underbluewaters you can use escape hatches to set the You can access the underlying L1 resource of any construct or use the L1 classes directly until we add these properties to the corresponding higher level constructs. See the above docs for details.

Note: CfnSpec with update on ECS Service for
@MrArnoldPalmer Thanks! I was able to get it working with the following code:

```ts
import * as ecs from "@aws-cdk/aws-ecs";
import { CfnService } from "@aws-cdk/aws-ecs";
import * as iam from "@aws-cdk/aws-iam";
import { PolicyDocument, PolicyStatement, ServicePrincipal } from "@aws-cdk/aws-iam";

// ecsService is the ECS service construct created elsewhere in the stack.
// const cfnService = ecsService.node.defaultChild as CfnService;
// doesn't work, see
// https://github.com/aws/aws-cdk/issues/10666
const cfnService = ecsService.node.children[0] as CfnService;
// Escape hatch: set the L1 property the L2 construct does not expose yet.
cfnService.addOverride("Properties.EnableExecuteCommand", "True");
```

I had to be sure to add the following permissions to the task execution role:

```ts
const role = new iam.Role(this, "MaintenanceRole", {
  assumedBy: new ServicePrincipal("ecs-tasks.amazonaws.com"),
  inlinePolicies: {
    // SSM Session Manager channels used by ECS Exec
    ecsExec: new PolicyDocument({
      statements: [
        new PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel",
          ],
          resources: ["*"],
        }),
      ],
    }),
  },
});

const taskDefinition = new ecs.FargateTaskDefinition(
  this,
  "SeaSketchMaintenanceFargateTaskDef",
  {
    cpu: 256,
    executionRole: role,
    memoryLimitMiB: 512,
  }
);
```
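The permissions discussed in this thread come in two parts: the `ssmmessages` actions in the workaround above, and the extra CloudWatch Logs / S3 / KMS permissions the task role needs only when exec output is logged. The following is an added example, not code from this issue or from aws-cdk: it assembles that task-role policy in plain TypeScript, scoping the logging statements to the configured destination, and checks an existing policy document for the exec actions. The logging action names follow AWS's ECS Exec documentation; `ecsExecTaskRolePolicy`, `grantsEcsExec` and every ARN or bucket name are constructed for the example.

```typescript
// Added example (not from the issue or aws-cdk): least-privilege task-role policy
// for ECS Exec. ssmmessages actions are the ones quoted in this issue; logging
// actions follow AWS's ECS Exec docs. ARNs/names passed in are placeholders.
type Statement = { Effect: "Allow"; Action: string[]; Resource: string };
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

interface ExecLogging {
  logGroupArn?: string;  // arn:aws:logs:REGION:ACCOUNT:log-group:NAME (no trailing ":*")
  s3BucketName?: string; // bucket that receives session output
  kmsKeyArn?: string;    // key used to encrypt session data / log output
}

const SSM_MESSAGES_ACTIONS = [
  "ssmmessages:CreateControlChannel",
  "ssmmessages:CreateDataChannel",
  "ssmmessages:OpenControlChannel",
  "ssmmessages:OpenDataChannel",
];
function allow(Action: string[], Resource: string): Statement {
  return { Effect: "Allow", Action, Resource };
}

function ecsExecTaskRolePolicy(logging: ExecLogging = {}): PolicyDocument {
  // ssmmessages has no resource-level permissions, so "*" is unavoidable there;
  // every logging statement below is scoped to the configured destination.
  const statements: Statement[] = [allow(SSM_MESSAGES_ACTIONS, "*")];
  if (logging.logGroupArn) {
    statements.push(allow(["logs:DescribeLogGroups"], "*"));
    statements.push(allow(["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"], `${logging.logGroupArn}:*`));
  }
  if (logging.s3BucketName) {
    statements.push(allow(["s3:GetBucketLocation"], "*"));
    statements.push(allow(["s3:GetEncryptionConfiguration"], `arn:aws:s3:::${logging.s3BucketName}`));
    statements.push(allow(["s3:PutObject"], `arn:aws:s3:::${logging.s3BucketName}/*`));
  }
  if (logging.kmsKeyArn) {
    statements.push(allow(["kms:Decrypt"], logging.kmsKeyArn));
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Audit helper: does an existing policy document allow every ssmmessages action
// ECS Exec needs? Handy when a task role "should" permit exec but sessions fail.
function grantsEcsExec(doc: PolicyDocument): boolean {
  const allowed = new Set(doc.Statement.filter(s => s.Effect === "Allow").reduce<string[]>((acc, s) => acc.concat(s.Action), []));
  return SSM_MESSAGES_ACTIONS.every(a => allowed.has(a) || allowed.has("ssmmessages:*") || allowed.has("*"));
}
```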
@SoManyHs Yes, I'd be more than happy to (as long as an ETA of this weekend will suffice).

Hi @mbeacom, were you still planning on submitting a PR for this? Thanks!

@SoManyHs Yes, apologies for the delay. I can push this out shortly!

Hi @mbeacom,

Hi @mbeacom! We're planning on prioritizing this in our next sprint -- since we haven't heard from you in awhile I'll go ahead and unassign you. Thanks for your help, and feel free to reach out if you have other input!

Hi, just updating the issue with the current status on the feature. The implementation involves enabling support for the
…e log group (#14947) This PR adds a public method `logGroupPhysicalName()` to access the physical name of a log group which is a private property of the `Resource` class. This change is needed to enable using KMS keys with log groups for use with ECS exec. Related: #13618 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes #13618 This PR adds support for ECS exec command. It adds necessary IAM permissions for the AWS Systems Manager (SSM) to enable exec and also adds IAM permissions for allowing the exec command result logs to be routed to either CloudWatch logs/ S3 Bucket or both. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
As of March 16, ECS now supports remote execution similar to docker exec.

Use Case

As a user, I want the capability to execute commands against AWS ECS Fargate / EC2 container workloads (similar to docker exec) managed by CDK.

Proposed Solution

CloudFormation's `AWS::ECS::Service` resource currently supports the boolean property `EnableExecuteCommand`. Expose this on aws-ecs's `FargateService`, similar to `enableEcsManagedTags`.

Other

This is a 🚀 Feature Request